Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > Bail out in case userspace uses registers over maximum number of register. > > Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > --- > net/netfilter/nf_tables_api.c | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index d71a33ae39b3..829ecd310ae6 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -9275,17 +9275,24 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) > } > EXPORT_SYMBOL_GPL(nft_parse_u32_check); > > -static unsigned int nft_parse_register(const struct nlattr *attr) > +static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) > { > unsigned int reg; > > reg = ntohl(nla_get_be32(attr)); > + if (reg >= NFT_REG32_NUM) > + return -ERANGE; > + This breaks userspace. NFT_REG32_00 is 8, so this makes NFT_REG32_13, 14 and 15 invalid.
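Review bot: in nft_parse_register() the added branch returns -ERANGE while the function is still declared `static unsigned int`, so the errno is converted to a large unsigned value and only works as an error if every caller stores the result back into a signed int; since the signature now carries a `u32 *preg` argument, the return type should become `int`. The bound is also applied to the raw value from `ntohl(nla_get_be32(attr))`, before any translation of the userspace register number. As the reply points out, NFT_REG32_00 is 8, so comparing that raw value against NFT_REG32_NUM rejects the upper 32-bit registers; the check belongs after the value has been mapped to an internal register index, or it should compare against the highest register value userspace is allowed to send.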